VMware this week fixed two critical vulnerabilities in jts vCenter Server, used by data centers to manage the VMware vSphere server virtualization platform.
VMware is the world's top cloud system and service management software based on revenue, according to IDC. vSphere is used by 68 percent of companies using server virtualization, with Microsoft's Hyper-V in second place, at 60 percent, according to a 2020 survey by Spiceworks.
This is an example of a remote code execution vulnerability, one of the OWASP top ten.
The vulnerabilities were discovered by Mikhail Klyuchnikov, senior web application security researcher at Positive Technologies.
"There is already scanning of the internet for this vulnerability," he told DCK.
When Positive Technologies released its report on the vulnerability Wednesday, the research firm was able to find more than 6,000 VMware vCenter devices worldwide that were accessible via the internet and had this vulnerability, a quarter of them located in the US.
While exposed systems are the highest and immediate risk, the bigger potential harm comes from internal systems on networks that have been compromised in other ways. According to Positive Technologies, more than 90 percent of VMware vCenter devices are located entirely within the perimeter.
Klyuchnikov recommends that everyone install the patches immediately, whether or not their systems are exposed to the internet.
For external systems, attackers can get access to not only the data that's on those machines but also use that access to move to internal networks.
And even if the vulnerable systems are not exposed to the internet, they can still create security problems if attackers are able to get an internal foothold by some other means, such as by compromising an end-user machine.
Last summer, Positive Technologies released the results of a series of penetration tests in which pentesters were able to breach network perimeters and access local networks at 93 percent of companies.
In its advisory, VMware ranked the new vulnerability in the critical severity range – with a severity score of 9.8, out of a maximum of 10.
The company recommends that companies install security patches immediately if they have vulnerable versions of VMware ESXi, vSphere Client, or vCenter Server in their environment.
If a system cannot be immediately patched, Klyuchnikov recommends that companies isolate it from the internet and also limit internal access, such as by moving it to a VLAN or installing filters to reduce the number of other systems that can connect.
"This is one of the most significant vulnerabilities out there today," he said.
"This vulnerability is critical," said Ilia Kolochenko, CEO at ImmuniWeb, a cybersecurty vendor. "It's really the highest possible risk we have, and exploitation is very simple. A remote non-authenticated actor can just send several HTTP requests and get full control over everything. So it's very high risk."
There is one bright side to this vulnerability, however, that is likely to reduce the amount of damage that attackers can do.
And that is because those organizations that have these systems exposed to the public probably have much bigger problems as well, said ImmuniWeb's Kolochenko.
"These types of systems are not supposed to be publicly accessible," he said. "Organizations that have these systems accessible to anyone on the internet – well, I wouldn't say that they're all grossly negligent, but I would say that they have other challenges and problems and are probably already compromised."
There might be some organizations that are unable to install security patches immediately, "maybe in about 5 percent of use cases," he said.
"In a hospital, for example, you might have a critical system that is maintaining care for patients who require emergency treatment. Sometimes when you install a patch you might crash everything. But I would say that otherwise, in the vast majority of cases – in 95 percent of cases – you should patch as soon as possible."
In those other 5 percent of cases companies should limit access to the vulnerable system.
He also recommends that companies proactively monitor and try to minimize their external attack surface, since more of these types of vulnerabilities are likely to emerge.
"I'm very confident that we still have more undisclosed or undiscovered vulnerabilities," he said. "There are probably people reverse engineering systems, searching for security flaws."
Reducing access by external users or from untrusted internal machines would help mitigate against 99 percent of possible exploitation, he said.